Getting Data In

Audit who makes changes to Active Directory

New Member


I'm looking into using Splunk to report on Active Directory. I've installed the free edition on a test domain & set it up to monitor the directory schema. It seems to be picking up events but I'm unable to find any information about who makes changes (e.g. account create/delete) - is this possible at all?

Thanks in advance for any advice

0 Karma


You should install and look at this app first :


0 Karma

New Member

Hi there,

I know this is an old thread but I am having the same issue as above.
I have installed the windows security operations center app but it doesn't display which user made the changes to an AD object. I have tested Netwrix and that application can find the user details with no problem (so I know it is not an auditing settings problem)
Any help would be much appreciated.


Mark B

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...